High street shoe retailer Office has confirmed that it suffered an attack last week, with an attacker gaining unauthorised access to some of its online accounts.
It confirmed that the incident occurred on 22nd May and it detected this four days later. No credit card, debit card, Paypal or bank details were compromised in any way, but the affected information does include names, addresses, phone numbers, email addresses and passwords. All affected customers have been contacted directly via email and passwords have been reset.
Following the breaches at Target, Spotify and eBay this year, the incident marks more trouble for online services who appear to be successfully targeted. In a statement sent to users and on its website, it said: “The protection of customer data is of the utmost importance to us and we are treating this extremely seriously. Our customers remain our number one priority and we have taken the necessary measures to secure all customer information.
“We will update affected customers if we get any more relevant information. We are sorry that this has happened and we would like to thank all Office customers for their continued support and understanding.”
Brendan Rizzo, technical director at Voltage Security, said: “Office has stated that financial data has not been compromised in this breach, but stopped short of disclosing what personal customer information was actually left unprotected. Most retailers do collect personal information on their customers such as their addresses, identification numbers and dates of birth. If left unprotected, this information would give the attackers almost all of the information they need to undertake fraudulent activity on the a compromised user’s behalf.”
Jason Hart, VP of cloud solutions at SafeNet, said: “Data breaches are not just breaches of security. They are also breaches of trust between companies and their customers. With the increasing frequency and size of data breaches, customers are losing more than their financial information.
“Cybercriminals are going after easier targets, and that is often personal data which is often unencrypted. Because companies are storing more and more customer data, it’s only a matter of time before companies will have to start protecting more of that data with encryption.”
Speaking to IT Security Guru, Dr Guy Bunker, cyber security analyst at Clearswift, said
that the challenge now is that in these incidents, everyone always says “no financial information was put at risk”, but this leads to phishing emails. “If you are a customer, you are asked if you could ‘please switch your password’ and change what you need to change, and that is the access the phisher needs to get at the financial information,” he said.
“So even though financial information wasn’t breached there, with the information they have got this enables the attacker to get through to the financial information and do the fraudulent action.”
Security analyst Graham Cluley pointed out on his blog that there was no mention of the security breach on Office’s homepage or even its blog. He asked: “Has no-one learnt anything from eBay’s shambolic response to its own security breach?
Paul Martini, CEO at iboss Network Security, said: “There is no dress rehearsal for Office. Failure to communicate is failure to protect, but speed of information is everything when it comes to handling a hacking incident. Customers rarely read emails instantly, but they are on Twitter and Facebook throughout the day.
“The trend of organisations revealing that a hack has taken place in an email and delaying the education process, must come to an end. Organisations must communicate across every channel – the company website, Facebook, Twitter – or risk increasing the damage caused by the hack.”